Total: 46623 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2012-1257 | 1 Pidgin | 1 Pidgin | 2019-11-21 | 2.1 LOW | 5.5 MEDIUM |
| Pidgin 2.10.0 uses DBUS for certain cleartext communication, which allows local users to obtain sensitive information via a dbus session monitor. | |||||
| CVE-2019-12311 | 1 Sandline | 1 Centraleyezer | 2019-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Sandline Centraleyezer (On Premises) allows Unrestricted File Upload leading to Stored XSS. An HTML page running a script could be uploaded to the server. When a victim tries to download a CISO Report template, the script is loaded. | |||||
| CVE-2019-12299 | 1 Sandline | 1 Centraleyezer | 2019-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Sandline Centraleyezer (On Premises) allows Stored XSS using HTML entities in the name field of the Category section. | |||||
| CVE-2019-17085 | 1 Microfocus | 1 Operations Agent | 2019-11-21 | 4.0 MEDIUM | 6.5 MEDIUM |
| XXE attack vulnerability on Micro Focus Operations Agent, affected versions 12.0, 12.01, 12.02, 12.03, 12.04, 12.05, 12.06, 12.10, 12.11. The vulnerability could be exploited to do an XXE attack on Operations Agent. | |||||
| CVE-2013-2092 | 1 Dolibarr | 1 Dolibarr | 2019-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php. | |||||
| CVE-2013-0193 | 1 Matomo | 1 Matomo | 2019-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: This is a different vulnerability than CVE-2013-0194 and CVE-2013-0195. | |||||
| CVE-2013-0195 | 1 Matomo | 1 Matomo | 2019-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: This is a different vulnerability than CVE-2013-0193 and CVE-2013-0194. | |||||
| CVE-2013-0194 | 1 Matomo | 1 Matomo | 2019-11-21 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in Piwik before 1.10.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: This is a different vulnerability than CVE-2013-0193 and CVE-2013-0195. | |||||
| CVE-2019-11139 | 2 Intel, Opensuse | 115 Xeon 3104, Xeon 3104 Firmware, Xeon 3106 and 112 more | 2019-11-21 | 2.1 LOW | 6.0 MEDIUM |
| Improper conditions check in the voltage modulation interface for some Intel(R) Xeon(R) Scalable Processors may allow a privileged user to potentially enable denial of service via local access. | |||||
| CVE-2018-0586 | 1 Ultimatemember | 1 User Profile & Membership | 2019-11-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| Directory traversal vulnerability in the shortcodes function of Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to read arbitrary files via unspecified vectors. | |||||
| CVE-2018-0585 | 1 Ultimatemember | 1 Ultimate Member | 2019-11-20 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2018-20965 | 1 Ultimatemember | 1 Ultimate Member | 2019-11-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| The ultimate-member plugin before 2.0.4 for WordPress has XSS. | |||||
| CVE-2018-0587 | 1 Ultimatemember | 1 User Profile & Membership | 2019-11-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| Unrestricted file upload vulnerability in Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated users to upload arbitrary image files via unspecified vectors. | |||||
| CVE-2018-0589 | 1 Ultimatemember | 1 User Profile & Membership | 2019-11-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to add a new form in the 'Forms' page via unspecified vectors. | |||||
| CVE-2018-0590 | 1 Ultimatemember | 1 User Profile & Membership | 2019-11-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| Ultimate Member plugin prior to version 2.0.4 for WordPress allows remote authenticated attackers to bypass access restriction to modify the other users profiles via unspecified vectors. | |||||
| CVE-2018-0577 | 1 Google Map Project | 1 Google Map | 2019-11-20 | 3.5 LOW | 5.4 MEDIUM |
| Cross-site scripting vulnerability in WP Google Map Plugin prior to version 4.0.4 for WordPress allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | |||||
| CVE-2012-0842 | 2 Debian, Suckless | 2 Debian Linux, Surf | 2019-11-20 | 2.1 LOW | 5.5 MEDIUM |
| surf: the cookie jar is readable by other local users. | |||||
| CVE-2019-19084 | 1 Octopus | 1 Octopus Deploy | 2019-11-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| In Octopus Deploy 3.3.0 through 2019.10.4, an authenticated user with PackagePush permission to upload packages could upload a maliciously crafted package, triggering an exception that exposes underlying operating system details. | |||||
| CVE-2019-12637 | 1 Cisco | 1 Identity Services Engine | 2019-11-20 | 3.5 LOW | 5.4 MEDIUM |
| Multiple vulnerabilities in the web-based management interface of Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to conduct cross-site scripting (XSS) attacks against a user of the web-based management interface. The vulnerabilities are due to insufficient validation of user-supplied input that is processed by the web-based management interface. An attacker could exploit these vulnerabilities by persuading a user of the interface to click a crafted link. A successful exploit could allow the attacker to execute arbitrary script code in the context of the interface or access sensitive, browser-based information. | |||||
| CVE-2019-17112 | 1 Zohocorp | 1 Manageengine Datasecurity Plus | 2019-11-20 | 4.0 MEDIUM | 4.3 MEDIUM |
| An issue was discovered in Zoho ManageEngine DataSecurity Plus before 5.0.1 5012. An exposed service allows a basic user ("Operator" access level) to access the configuration file of the mail server (except for the password). | |||||
| CVE-2018-19522 | 1 Driveragent | 1 Driveragent | 2019-11-20 | 2.1 LOW | 5.5 MEDIUM |
| DriverAgent 2.2015.7.14, which includes DrvAgent64.sys 1.0.0.1, allows a user to send an IOCTL (0x800020F4) with a buffer containing user defined content. The driver's subroutine will execute a wrmsr instruction with the user's buffer for partial input. | |||||
| CVE-2011-1489 | 3 Debian, Opensuse, Rsyslog | 3 Debian Linux, Opensuse, Rsyslog | 2019-11-20 | 2.1 LOW | 5.5 MEDIUM |
| A memory leak in rsyslog before 5.7.6 was found in the way daemon-processed log messages were logged when multiple rulesets were used and some output batches contained messages belonging to more than one ruleset. A local attacker could cause denial of the rsyslogd daemon service via a log message belonging to more than one ruleset. | |||||
| CVE-2011-1490 | 3 Debian, Opensuse, Rsyslog | 3 Debian Linux, Opensuse, Rsyslog | 2019-11-20 | 2.1 LOW | 5.5 MEDIUM |
| A memory leak in rsyslog before 5.7.6 was found in the way daemon-processed log messages are logged when multiple rulesets were used and some output batches contained messages belonging to more than one ruleset. A local attacker could cause denial of the rsyslogd daemon service via a log message belonging to more than one ruleset. | |||||
| CVE-2019-15472 | 1 Mi | 2 A2 Lite, A2 Lite Firmware | 2019-11-20 | 2.1 LOW | 5.5 MEDIUM |
| The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. | |||||
| CVE-2019-18651 | 1 3xlogic | 2 Infinias Access Control, Infinias Access Control Firmware | 2019-11-20 | 5.8 MEDIUM | 6.5 MEDIUM |
| A cross-site request forgery (CSRF) vulnerability in 3xLogic Infinias Access Control through 6.6.9586.0 allows remote attackers to execute malicious and unauthorized actions (e.g., delete application users) by sending a crafted HTML document or encoded URL to a user that the website trusts. The user needs to have an active privileged session. | |||||
| CVE-2019-17057 | 1 Footy | 1 Tipping Software | 2019-11-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Footy Tipping Software AFL Web Edition 2019 allows XSS. | |||||
| CVE-2014-2312 | 1 Intel | 1 Thermald | 2019-11-20 | 6.6 MEDIUM | 5.5 MEDIUM |
| The main function in android_main.cpp in thermald allows local users to write to arbitrary files via a symlink attack on /tmp/thermald.pid. | |||||
| CVE-2019-15054 | 1 Getmailbird | 1 Mailbird | 2019-11-20 | 4.3 MEDIUM | 6.1 MEDIUM |
| Multiple cross-site scripting (XSS) vulnerabilities in Mailbird before 2.7.5.0 r allow remote attackers to execute arbitrary JavaScript in a privileged context via a crafted HTML mail message. This vulnerability is distinct from CVE-2015-4657. | |||||
| CVE-2019-18373 | 1 Symantec | 1 Norton App Lock | 2019-11-20 | 4.4 MEDIUM | 5.6 MEDIUM |
| Norton App Lock, prior to 1.4.0.503, may be susceptible to a bypass exploit. In this type of circumstance, the exploit can allow the user to circumvent the app to prevent it from locking other apps on the device, thereby allowing the individual to gain access. | |||||
| CVE-2019-15468 | 1 Mi | 2 A2 Lite, A2 Lite Firmware | 2019-11-20 | 2.1 LOW | 5.5 MEDIUM |
| The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/daisy/daisy_sprout:9/PKQ1.180917.001/V10.0.3.0.PDLMIXM:user/release-keys contains a pre-installed app with a package name of com.huaqin.factory app (versionCode=1, versionName=QL1715_201812071953) that allows unauthorized wireless settings modification via a confused deputy attack. This capability can be accessed by any app co-located on the device. | |||||
| CVE-2019-3423 | 1 Ztehome | 2 C520v21, C520v21 Firmware | 2019-11-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| A permission and access control vulnerability exists in V2.1.14 and below versions of C520V21 smart camera devices. An attacker can construct a URL for directory traversal and gain access to other unauthorized files or resources. | |||||
| CVE-2019-0388 | 1 Sap | 1 Ui | 2019-11-20 | 5.0 MEDIUM | 5.3 MEDIUM |
| SAP UI5 HTTP Handler (corrected in SAP_UI versions 7.5, 7.51, 7.52, 7.53, 7.54 and SAP UI_700 version 2.0) allows an attacker to manipulate content due to insufficient URL validation. | |||||
| CVE-2019-17427 | 1 Redmine | 1 Redmine | 2019-11-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| In Redmine before 3.4.11 and 4.0.x before 4.0.4, persistent XSS exists due to textile formatting errors. | |||||
| CVE-2019-15473 | 1 Mi | 2 A2 Lite, A2 Lite Firmware | 2019-11-19 | 2.1 LOW | 5.5 MEDIUM |
| The Xiaomi Mi A2 Lite Android device with a build fingerprint of xiaomi/jasmine/jasmine_sprout:9/PKQ1.180904.001/V10.0.2.0.PDIMIFJ:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. | |||||
| CVE-2019-15475 | 1 Mi | 2 A3, A3 Firmware | 2019-11-19 | 2.1 LOW | 5.5 MEDIUM |
| The Xiaomi Mi A3 Android device with a build fingerprint of xiaomi/onc_eea/onc:9/PKQ1.181021.001/V10.2.8.0.PFLEUXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. | |||||
| CVE-2012-4439 | 1 Jenkins | 1 Jenkins | 2019-11-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URL that points to Jenkins. | |||||
| CVE-2012-4440 | 1 Jenkins | 1 Jenkins | 2019-11-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the Violations plugin. | |||||
| CVE-2012-4441 | 1 Jenkins | 1 Jenkins | 2019-11-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Cross-site Scripting (XSS) in Jenkins main before 1.482 and LTS before 1.466.2 allows remote attackers to inject arbitrary web script or HTML in the CI game plugin. | |||||
| CVE-2019-11179 | 1 Intel | 85 Baseboard Management Controller Firmware, Bbs2600bpb, Bbs2600bpbr and 82 more | 2019-11-19 | 4.0 MEDIUM | 6.5 MEDIUM |
| Insufficient input validation in Intel(R) Baseboard Management Controller firmware may allow an authenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2019-10070 | 1 Apache | 1 Atlas | 2019-11-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| Apache Atlas versions 0.8.3 and 1.1.0 were found vulnerable to Stored Cross-Site Scripting in the search functionality. | |||||
| CVE-2019-15743 | 1 Sony | 2 Xperia Touch, Xperia Touch Firmware | 2019-11-19 | 2.1 LOW | 5.5 MEDIUM |
| The Sony Xperia Touch Android device with a build fingerprint of Sony/blanc_windy/blanc_windy:7.0/LOIRE-SMART-BLANC-1.0.0-170530-0834/1:user/dev-keys contains a pre-installed app with a package name of com.sonymobile.android.maintenancetool.testmic app (versionCode=24, versionName=7.0) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record audio to external storage. | |||||
| CVE-2019-15474 | 1 Mi | 2 Cepheus, Cepheus Firmware | 2019-11-19 | 2.1 LOW | 5.5 MEDIUM |
| The Xiaomi Cepheus Android device with a build fingerprint of Xiaomi/cepheus/cepheus:9/PKQ1.181121.001/V10.2.6.0.PFAMIXM:user/release-keys contains a pre-installed app with a package name of com.qualcomm.qti.callenhancement app (versionCode=28, versionName=9) that allows unauthorized microphone audio recording via a confused deputy attack. This capability can be accessed by any app co-located on the device. This app allows a third-party app to use its open interface to record telephone calls to external storage. | |||||
| CVE-2019-6663 | 1 F5 | 16 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 13 more | 2019-11-19 | 4.3 MEDIUM | 5.5 MEDIUM |
| The BIG-IP 15.0.0-15.0.1, 14.0.0-14.1.2.2, 13.1.0-13.1.3.1, 12.1.0-12.1.5, and 11.5.1-11.6.5.1, BIG-IQ 7.0.0, 6.0.0-6.1.0, and 5.2.0-5.4.0, iWorkflow 2.3.0, and Enterprise Manager 3.1.1 configuration utility is vulnerable to Anti DNS Pinning (DNS Rebinding) attack. | |||||
| CVE-2019-16761 | 1 Simpleledger | 1 Slp-validate | 2019-11-19 | 4.9 MEDIUM | 6.1 MEDIUM |
| A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slp-validate@1.0.0 npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. All versions >1.0.0 have been patched. | |||||
| CVE-2011-1488 | 3 Debian, Opensuse, Rsyslog | 3 Debian Linux, Opensuse, Rsyslog | 2019-11-19 | 1.9 LOW | 5.5 MEDIUM |
| A memory leak in rsyslog before 5.7.6 was found in the way daemon-processed log messages are logged when $RepeatedMsgReduction was enabled. A local attacker could use this flaw to cause a denial of the rsyslogd daemon service by crashing the service via a sequence of repeated log messages sent within short periods of time. | |||||
| CVE-2019-16762 | 1 Simpleledger | 1 Slpjs | 2019-11-19 | 4.9 MEDIUM | 6.1 MEDIUM |
| A specially crafted Bitcoin script can cause a discrepancy between the specified SLP consensus rules and the validation result of the slpjs npm package. An attacker could create a specially crafted Bitcoin script in order to cause a hard-fork from the SLP consensus. Affected users can upgrade to any version >= 0.21.4. | |||||
| CVE-2019-11172 | 1 Intel | 85 Baseboard Management Controller Firmware, Bbs2600bpb, Bbs2600bpbr and 82 more | 2019-11-19 | 5.0 MEDIUM | 5.3 MEDIUM |
| Out-of-bounds read in Intel(R) Baseboard Management Controller firmware may allow an unauthenticated user to potentially enable information disclosure via network access. | |||||
| CVE-2019-19040 | 1 Kairosdb Project | 1 Kairosdb | 2019-11-19 | 4.3 MEDIUM | 6.1 MEDIUM |
| KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring. | |||||
| CVE-2019-16707 | 1 Hunspell Project | 1 Hunspell | 2019-11-19 | 4.3 MEDIUM | 6.5 MEDIUM |
| Hunspell 1.7.0 has an invalid read operation in SuggestMgr::leftcommonsubstring in suggestmgr.cxx. | |||||
| CVE-2019-6662 | 1 F5 | 13 Big-ip Access Policy Manager, Big-ip Advanced Firewall Manager, Big-ip Analytics and 10 more | 2019-11-18 | 4.0 MEDIUM | 6.5 MEDIUM |
| On BIG-IP 13.1.0-13.1.1.4, sensitive information is logged into the local log files and/or remote logging targets when restjavad processes an invalid request. Users with access to the log files would be able to view that data. | |||||
